25 AI vendors — DPA status, training policy, EU residency, and DPA link in one table.
| Vendor / Product | Plan | DPA available? | Trains on your data? | EU data residency? | DPA / privacy link |
|---|---|---|---|---|---|
| Anthropic Claude API | API | ✅ Yes | ❌ No | ❌ US + SCCs | privacy.anthropic.com/dpa |
| Claude.ai | Free / Pro | ❌ No | ⚠️ May be used | ❌ No | N/A |
| OpenAI API | API | ✅ Yes | ❌ No (since Mar 2023) | ❌ US + SCCs | platform.openai.com/privacy |
| ChatGPT | Free / Plus | ❌ No | ⚠️ Yes (opt-out available) | ❌ No | N/A |
| ChatGPT Team | Team ($30/user) | ✅ Yes | ❌ No | ❌ US + SCCs | openai.com/policies/data-processing-addendum |
| ChatGPT Enterprise | Enterprise | ✅ Yes (custom) | ❌ No | ❌ US + SCCs | Via OpenAI sales |
| Azure OpenAI | Azure | ✅ Yes (MSDPA) | ❌ No | ✅ EU regions available | Microsoft DPA |
| Google Gemini API (AI Studio) | Free | ❌ No | ⚠️ Yes | ❌ No | N/A |
| Google Vertex AI (Gemini) | Google Cloud | ✅ Yes | ❌ No | ✅ EU regions available | Google Cloud DPA |
| Google Workspace (Gemini) | Business / Enterprise | ✅ Yes | ❌ No | ✅ EU regions available | Google Workspace DPA |
| Mistral AI API | API | ✅ Yes | ❌ No | ✅ EU-native (France) | mistral.ai/terms/dpa |
| AWS Bedrock | AWS | ✅ Yes (AWS DPA) | ❌ No | ✅ EU regions available | aws.amazon.com/compliance/data-privacy |
| Amazon Q | Business / Pro | ✅ Yes (AWS DPA) | ❌ No | ✅ EU regions available | AWS service terms |
| Cohere API | API | ✅ Yes | ❌ No | ❌ Canada/US + SCCs | cohere.com/privacy |
| GitHub Copilot | Individual | ❌ No | ⚠️ Yes (opt-out available) | ❌ No | N/A |
| GitHub Copilot | Business | ✅ Yes (GitHub DPA) | ❌ No | ❌ US + SCCs | github.com/customer-agreement |
| GitHub Copilot | Enterprise | ✅ Yes | ❌ No | ❌ US + SCCs | Included in enterprise agreement |
| Cursor | Individual | ❌ No | ❌ No (telemetry off) | ❌ No | N/A |
| Cursor | Teams | ✅ Yes | ❌ No | ❌ US + SCCs | cursor.com/privacy |
| Microsoft Copilot | Free / Pro | ❌ No | ⚠️ May be used | ❌ No | N/A |
| Microsoft 365 Copilot | M365 Business/Enterprise | ✅ Yes (MSDPA) | ❌ No | ✅ EU regions available | Microsoft DPA |
| Perplexity | Consumer | ❌ No | ⚠️ May be used | ❌ No | N/A |
| Perplexity Enterprise | Enterprise | ✅ Yes | ❌ No | ❌ US + SCCs | Via Perplexity sales |
| Together AI | API | ✅ Yes | ❌ No | ❌ US + SCCs | together.ai/privacy |
| Hugging Face | Inference Endpoints | ✅ Yes | ❌ No | ✅ EU regions available | huggingface.co/privacy |
| Replicate | API | ✅ Yes | ❌ No | ❌ US + SCCs | replicate.com/privacy |
Key: ✅ Yes / ❌ No / ⚠️ Conditional or opt-out required
Last verified: May 2026. DPA terms change — always verify directly with the vendor before relying on this table for a compliance decision.
How to Read This Table
DPA available? — Whether a Data Processing Agreement covering GDPR Article 28 processor obligations is available for this plan tier. A DPA is required before you can legally send EU personal data to the vendor under GDPR.
Trains on your data? — Whether the vendor uses your inputs (prompts, outputs, code, documents) to train or improve their foundation models. "No" means the vendor's policy states they do not use your data for training. A DPA gives you a legal commitment; "No" on a free tier without a DPA is a policy statement only.
EU data residency? — Whether data can stay inside the EU. "EU regions available" means you can configure the service to process data in EU data centers without a cross-border transfer mechanism. "US + SCCs" means data is processed in the US, covered for EU transfers via Standard Contractual Clauses in the DPA.
DPA link — Where to find the self-serve DPA for the relevant tier.
The Core Pattern
Three rules explain almost every row in this table:
Rule 1: API tiers have DPAs; consumer tiers do not. The free ChatGPT, free Claude.ai, Google AI Studio, and personal Copilot are consumer products. If your team is using these with business data, you have no legal data processing framework. Switch to the API tier or an organizational plan.
Rule 2: EU residency requires Microsoft, Google Cloud, Mistral, or Hugging Face (EU regions). If genuine EU data residency is a requirement (stricter than SCCs), these are your options. Anthropic and OpenAI, when used directly, route all traffic through US infrastructure.
Rule 3: "No training" on consumer tiers requires opt-out; on paid tiers it is default. ChatGPT (free) trains on your data by default — you must go to Settings > Data controls > Improve the model for everyone and disable it. On paid organizational plans (Team, Enterprise), the no-training commitment is default and backed by the DPA.
What "SCCs" Means for Your Team
Standard Contractual Clauses (SCCs) are the EU Commission's approved template contracts for transferring personal data from the EU to countries without an EU adequacy decision — including the US. A DPA that includes SCCs is sufficient for GDPR-compliant transfers to US-based AI vendors for most purposes.
If your legal team says "we can't use SCCs," the options are:
- Use an EU-residency provider (Azure OpenAI, Vertex AI, Mistral, AWS EU regions)
- Deploy a self-hosted open-source model (no vendor transfer)
- Anonymize all data before it leaves the EU (no personal data = no GDPR transfer restriction)
How to Verify a DPA Before Sending Data
Before your team sends any prompt containing personal data to an AI vendor:
- Confirm the tier: Is your team on a plan that includes a DPA? If in doubt, check the vendor's pricing page — DPA availability is usually listed under compliance features.
- Access the DPA: Follow the self-serve link in the table above. For enterprise agreements, ask your account manager.
- Check for SCCs: For non-EU vendors, confirm that the DPA includes EU Standard Contractual Clauses or that the vendor is covered by an EU adequacy decision or equivalent.
- Note the sub-processor list: GDPR requires you to know who the vendor shares data with. The DPA should include a sub-processor list or a URL to one.
- Record it: Add the DPA link, date accessed, and the specific product/tier to your AI tool register.
Vendors Not in This Table
If an AI tool your team uses is not in this table and you cannot find a DPA in their privacy documentation:
- The tool is likely a consumer product without a DPA — treat it as non-compliant for EU personal data
- Check the vendor's "for business" or "enterprise" page — DPA availability is often listed there
- If you cannot find a DPA after 5 minutes of searching, the vendor probably does not offer one for the tier you are on
For tools that handle EU personal data and cannot provide a DPA, your options are: stop using the tool for data involving EU residents, require employees to anonymize data before use, or replace the tool.
Using This Table in an AI Tool Register
When you add an AI tool to your team's AI tool register, record:
| Field | What to capture |
|---|---|
| Tool name and vendor | Full name + parent company |
| Plan tier | Which plan you're on — DPA availability varies by tier |
| DPA confirmed? | Yes (with date) / No / In progress |
| DPA link | Direct URL to the DPA document you accepted |
| Training opt-out confirmed? | Yes (with date) / Not applicable (DPA covers this) |
| EU data residency | Required / Available and configured / Not required |
| Sub-processor list URL | Link to the vendor's current sub-processor list |
This creates an audit trail showing you assessed each vendor's data handling before deploying.
References
- Anthropic: privacy.anthropic.com
- OpenAI: openai.com/policies
- Microsoft: microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
- Google Cloud: cloud.google.com/terms/data-processing-addendum
- Mistral: mistral.ai/terms/dpa
- EU GDPR Article 28: Processor obligations
- EU GDPR Chapter V: Transfers to third countries
